Cyber Resilience

CVE-2025-15457

MediumPublic PoC

Published: 05 January 2026

Published
05 January 2026
Modified
15 January 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0051 39.5th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2025-15457 is a medium-severity Improper Authentication (CWE-287) vulnerability in 1234N Minicms. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2025-15457 is an improper authentication vulnerability (CWE-287) affecting bg5sbk MiniCMS versions up to 1.8. The issue resides in an unknown function within the file /minicms/mc-admin/post.php, part of the Trash File Restore Handler component. Published on 2026-01-05, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.

Remote attackers require no privileges or user interaction to exploit this vulnerability. Successful manipulation enables limited impacts on confidentiality, integrity, and availability, potentially allowing unauthorized access or actions via the trash file restore functionality. An exploit has been publicly disclosed and could be actively used.

Advisories from VulDB (ctiid.339490, id.339490, submit.725139) and a GitHub issue (ueh1013/VULN/issues/12) detail the flaw, noting that the vendor was contacted early but provided no response. No patches, mitigations, or vendor fixes are referenced.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability was found in bg5sbk MiniCMS up to 1.8. The impacted element is an unknown function of the file /minicms/mc-admin/post.php of the component Trash File Restore Handler. Performing a manipulation results in improper authentication. It is possible to initiate…

more

the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2025-15457 is an improper authentication vulnerability in a public-facing web application (MiniCMS admin component), directly enabling remote exploitation without privileges or interaction, matching T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-15458Same product: 1234N Minicms
CVE-2025-15456Same product: 1234N Minicms
CVE-2025-1044Shared CWE-287
CVE-2026-1740Shared CWE-287
CVE-2026-7022Shared CWE-287
CVE-2024-13111Shared CWE-287
CVE-2026-29145Shared CWE-287
CVE-2018-25236Shared CWE-287
CVE-2024-53704Shared CWE-287
CVE-2024-57049Shared CWE-287

Affected Assets

1234n
minicms
≤ 1.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for logical access, directly preventing unauthorized remote manipulation of the trash file restore handler due to improper authentication.

prevent

Requires unique identification and authentication for organizational users accessing admin functions, comprehensively addressing the CWE-287 improper authentication flaw.

preventrecover

Mandates timely identification, reporting, and correction of system flaws like the unpatched improper authentication in MiniCMS /mc-admin/post.php.

References